Kristina Irion

Kristina Irion is Senior Researcher at the Institute for Information Law (IViR) at the University of Amsterdam and Postdoctoral Researcher to the project Personalised Communication. She is the faculty organiser of the Annual IViR Summer Course on Privacy Law and Policy and teaches in the Research Master's in Information Law. She is Associate Professor (on research leave) at the School of Public Policy at Central European University in Budapest (Hungary).
Kristina obtained her Dr. iuris degree from Martin Luther University, Halle-Wittenberg (Germany), and holds a Masters degree in Information Technology and Telecommunications Law from the University of Strathclyde, Glasgow (UK). She was a part time Legal Officer at the Data Protection Authority in Berlin and worked as Senior Regulatory Counsel for a German mobile network operator. Kristina also gained working experience as a trainee at the European Commission in Brussels and she was a visiting fellow at the Electronic Privacy Information Center (EPIC) in Washington.
Her research covers EU law, regulation and public policy in the fields of electronic communications, online media, content and services as well as privacy and data protection. As a Marie Curie Fellow she accomplished her individual research project on Governing Digital Information which explores how cloud computing transforms the (legal) relationship between individuals and their personal records. She lead-authored a recent study which identifies possible tensions between EU data protection law and free trade agreements. She is intrigued by the combined effects of individuals' online activities and commercial surveillance on society and global information governance.
Kristina was key personnel of four collaborative European research projects on privacy, independent media supervisory authorities, and building functioning media institutions. She provided expertise to the European Commission and the European Parliament, the Council of Europe, the OECD and ENISA as well as collaborating with the Centre for European Policy Studies (CEPS). As a member of the Scientific Committee, she contributes to the organisation of the annual Computer Privacy and Data Protection (CPDP) Conference. She is a member of the international advisory board of the Electronic Privacy Information Center (EPIC).

Publications

This study, commissioned by the European Parliament’s Policy Department for Citizens’ Rights and Constitutional Affairs at the request of the LIBE Committee, appraises the European Commission’s proposal for an ePrivacy Regulation. The study assesses whether the proposal would ensure that the right to the protection of personal data, the right to respect for private life and communications, and related rights enjoy a high standard of protection. The study also highlights the proposal’s potential benefits and drawbacks more generally.

Algorithmic agents permeate every instant of our online existence. Based on our digital profiles built from the massive surveillance of our digital existence, algorithmic agents rank search results, filter our emails, hide and show news items on social networks feeds, try to guess what products we might buy next for ourselves and for others, what movies we want to watch, and when we might be pregnant. Algorithmic agents select, filter, and recommend products, information, and people; they increasingly customize our physical environments, including the temperature and the mood. Increasingly, algorithmic agents don’t just select from the range of human created alternatives, but also they create. Burgeoning algorithmic agents are capable of providing us with content made just for us, and engage with us through one-of-a-kind, personalized interactions. Studying these algorithmic agents presents a host of methodological, ethical, and logistical challenges.
The objectives of our paper are two-fold. The first aim is to describe one possible approach to researching the individual and societal effects of algorithmic recommenders, and to share our experiences with the academic community. The second is to contribute to a more fundamental discussion about the ethical and legal issues of “tracking the trackers”, as well as the costs and trade-offs involved. Our paper will contribute to the discussion on the relative merits, costs and benefits of different approaches to ethically and legally sound research on algorithmic governance. We will argue that besides shedding light on how users interact with algorithmic agents, we also need to be able to understand how different methods of monitoring our algorithmically controlled digital environments compare to each other in terms of costs and benefits. We conclude our article with a number of concrete suggestions for how to address the practical, ethical and legal
challenges of researching algorithms and their effects on users and society.

Smart TV and online media enable precise monitoring of online media consumption, which also forms the basis for personalised recommendations. This new practice challenges EU policy in two respects. Firstly, the legality of monitoring individual media consumption and using personal data of users is primarily addressed under data protection law. Secondly, tracking of viewing behaviour and personalisation of media content can also affect individuals’ freedom to receive information, as well as the realisation of media policy objectives such as media freedom and pluralism, implications that so far are not reflected in media law and policy, or only marginally. This article addresses the increasing reliance on personal data and personalised services in the audiovisual and online media sector and queries the appropriateness of the legal status quo in light of implementation and enforcement actions in Germany and the Netherlands. The analysis concludes with a call for media policy makers and regulators to pay more attention to the issue of ‘smart surveillance’ of media users, and develops a number of concrete recommendations on how to accommodate the specific privacy concerns of media users.

New technologies, purposes and applications to process individual’s personal data are developed on a massive scale. But we have not only entered the ‘golden age of personal data’ in terms of its exploitation: ours is also the ‘golden age of personal data’ in terms of regulation of its use. In this contribution, we explain how regulating the processing of an individual’s personal data can be a proxy of intervention, which directly or indirectly could benefit other individual rights and freedoms. Understood as an enabling right, the architecture of EU data protection law is capable of protecting against many of the negative short- and long-term effects of contemporary data processing. The new General Data Protection Regulation certainly strengthens aspects of this core architecture but certain regulatory innovations to cope with technological advancements and the data-driven economy appear less capably of yielding broad protection for individuals fundamental rights and freedoms. We conclude that from the perspective of protecting individual fundamental rights and freedoms, it would be worthwhile to explore alternative (legal) approaches of individual protection in contemporary data processing.

A shared issue agenda provides democracies with a set of topics that structure the
public debate. The advent of personalized news media that use smart algorithms to tailor the
news offer to the user challenges the established way of setting the agenda of such a common
core of issues. This paper tests the effects of personalized news use on perceived importance
of these issues in the common core. In particular we study whether personalized news use
leads to a concentration at the top of the issue agenda or to a more diverse issue agenda with
a long tail of topics. Based on a cross-sectional survey of a representative population sample
(N=1556), we find that personalized news use does not lead to a small common core in which
few topics are discussed extensively, yet there is a relationship between personalized news
use and a preference for less discussed topics. This is a result of a specific user profile of
personalized news users: younger, more educated news users are more interested in topics at
the fringes of the common core and also make more use of personalized news offers. The
results are discussed in the light of media diversity and recent advances in public sphere
research.

Study carried out for the European Commission by Visionary Analytics in cooperation with SQW Limited, Ramboll Management Consulting and with support from the Advisory Board: Dr. K. Irion, M. Ledger, Dr. E. Varney, A. Moledo, Brussels: European Commission, 2016.

The current EU rules on the independence of audiovisual media regulators (Article 30 AVMSD) have little to no impact on the actual performance of regulators, which are under the discretion of MS. […] [E]stablishment of concrete requirements have the largest potential for de facto safeguarding independence of regulators and thus more effective transposition of the AVMSD and the preservation of free and pluralistic media.

The article focuses on the interplay between European Union (EU) law on privacy and data protection and international trade law, in particular the General Agreement on Trade in Services (GATS) and the WTO dispute settlement system. The argument distinguishes between the effects of international trade law in the EU legal order on the one hand, and, on the other hand, how EU data protection law would fare in a hypothetical challenge under the GATS. The contribution will apply international trade law and the general exception in GATS Article XIV to typical requirements stemming from EU data protection law, especially on transfers of personal data to third countries. The article enumerates the specific legal risks for defending EU law on privacy and data protection and explains the practical implications of its hypothetical challenge under the GATS. These insights could be useful for the EU’s negotiators of the future bi- or multilateral free trade agreements, notably the Transatlantic Trade and Investment Partnership and the Trade in Services Agreement.

IRIS Special, European Audvisual Observatory, Strasbourg 2016.
ISBN 9789287182395.
See here for more information and ability to purchase publication.

The structure of this study is built around the following questions:
- What is smart TV?
- How does smart TV compare with other forms of audiovisual media?
- What regulatory frameworks govern smart TV?
- What guidance can be found in selected country-specific case studies?
- What are the dangers associated with the collection, storage and processing of private user information by commercial parties?
- How are relevant regulatory frameworks likely to evolve?

Samsung have warned owners of their smart TVs that the system’s voice recognition could actually be recording and sharing their private conversations. This “bad buzz” comes at a time when Brussels is in the process of adopting new legislation – the General Data Protection Regulation (GDPR) - aimed at protecting us from abuse and misuse of our private data and consumer behaviour big data collected by smart equipment such as television sets. The European Audiovisual Observatory, part of the Council of Europe in Strasbourg, is keeping track of these developments and has published this IRIS Special report entitled "Smart TV and data protection".

The frequency with which the Court of Justice of the European Union (CJEU) rules on the interpretations of the rights to privacy and data protection in European Union (EU) law is constantly accelerating. The increasing case-load can certainly be attributed to the contemporary relevance of these issues in a data-driven society which leads to more cases being referred to the CJEU. However, contrary to earlier case-law, which had a rather limited effect, the recent CJEU decisions have gained prominence for their principle contribution to EU law. In 2014, the Court issued a landmark ruling in the case <em>Digital Rights Ireland and Seitlinger v Minister for Communications, Marine and Natural Resources</em> which catapulted EU citizens’ privacy and data protection rights from the margins of EU law to the center stage. Already in 2015, in the case <em>Maximillian Schrems v Data Protection Commissioner</em>, the Court has had another occasion to review EU legislation for its compliance with the rights to privacy and data protection under the EU Charter. The invalidation of the EU-U.S. Safe Harbour agreement by the Court has been stirring a global resonance in addition to receiving ample and arguably controversial coverage in international news.

This contribution looks at how the fundamental rights to privacy and data protection are protected in the EU legal order. It primarily assesses the CJEU’s case-law’s trajectory in this field as well as the impact of its decision practice in EU law. Hereby I discuss whether the CJEU holds a particular regard for the rights to privacy and data protection since the Charter of Fundamental Rights of the EU (CFR) was accorded binding legal value in 2009.5 Particular focus is given to the discussion of the two judgments in 2014 and 2015 cited above with which the Court underscored its determination to effectively protect these fundamental rights in the scope of EU law.

(2015) International Journal of Law and Information Technology 23(4): 348-371, DOI: 10.1093/ijlit/eav015, available at http://ijlit.oxfordjournals.org/content/23/4/348.abstract

In line with the overall trend individuals’ personal affairs, too, are composed of digital records to an increasing amount. At about the same time, the era of local storage in end user equipment is about to give way to remote computing where data resides on third party equipment (cloud computing). Once information, and even the most personal one, is no longer stored on personal equipment the relationship between individual users and their digital assets belonging to them is becoming increasingly abstract.
This contribution focuses on the implications of cloud computing for individuals’ unpublicized digital records. The question to be answered is whether - taken together - the progressing virtualization and the disruption of physical control produce a backslide for individual positions of rights. The paper introduces the legal treatment of users’ digital personal records and how a technical transformation in combination with disparate legal protection and prevailing commercial practices are bound to impact the distribution of rights and obligations.

At the time of writing I am at the Computer Privacy and Data Protection Conference, for insiders just CPDP 2015, one of several mega-events with more than 1,000 participants from governments, European Union (EU) institutions, corporations, civil society and privacy advocates, and plenty of lawyers and academics just like me. This is emblematic of the transformation privacy and data protection have undergone from a somewhat dull area of law to a very visible cutting-edge legal expertise.

In Digital Rights Ireland, the Court of Justice invalidated the 2006 Data Retention Directive, which required private providers to retain for a considerable period electronic communication metadata for law enforcement purposes. In this landmark ruling, the EU judiciary introduced a strict scrutiny test for EU legislative acts that interfere seriously with important rights protected by the Charter of Fundamental Rights and the European Convention on Human Rights—in this case, the rights to privacy and data protection—and applied a rigorous assessment of the proportionality of the measure under the Charter, criticising numerous aspects of the Directive. This article presents and analyses the judgment, discussing its implications for constitutional review and constitutionalism in the European Union, and the substantive and procedural constraints that it imposes on EU and national data retention schemes. It concludes by reflecting on the ruling’s impact on European integration and data related policies.

International media assistance programs accompanied the democratic media transition in Albania, Bosnia and Herzegovina, Kosovo, Macedonia and Serbia with varying intensity. These countries untertook a range of media reforms to conform with accession requirements of the European Union (EU) and the standards of the Council of Europe, among others. This article explores the nexus between the democratic transformation of the media and international media assistance (IMA) as constrained by the local political conditions in the five countries of the Western Balkans. It aims to enhance the understanding of conditions and factors that influence media institution building in the region and evaluates the role of international assistance programs and conditionality mechanisms herein.

The cross-national analysis concludes that the effects of IMA are highly constrained by the local context. A decade of IMA of varying intensity is not sufficient to construct media institutions when, in order to function properly, they have to outperform their local context. From today’s vantage point it becomes obvious, that in the short-term scaling-up IMA does not necessarily improve outcomes. The experiences in the region suggest that imported solutions have not been sufficiently cognitive of all aspects of local conditions and international strategies have tended to be rather schematic and have lacked strategic approaches to promote media policy stability, credible media reform and implementation. To a certain extent, the loss of IMA effectiveness is also self-inflicted.

In: M. Rotenberg, J. Horwitz & J. Scott, eds., Visons of Privacy in a Modern Age, New York: New Press, 2015 in press.
Also available at SSRN: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2528999

The innovations on which today’s Internet proliferated have been a major gift from its founders and the US government to the world. Ever since the rise of the Internet it has attracted utopian ideas of a free and borderless cyberspace, a men-made global commons that serves an international community of users. First commercialization and now the prevalence of state surveillance have significantly depreciated the utopist patina.
Internet’s borderless nature which was once heralded to rise above the nation state has actually enabled some states to rise above their borders when engaging in mass surveillance that affects users on a global scale. International human rights law and emerging Internet governance principles have not been authoritative enough to protect users’ privacy and the confidentiality of communications.
More or less openly, Western democracies embarked on the path of mass surveillance with the aim to fight crime and defend national security. Although country specific approaches vary, reflecting political and ideological differences, mass surveillance powers frequently raise issues of constitutional compatibility. Beyond striking the balance between public security and privacy, systemic surveillance carries the potential to erode democracy from the inside.
This chapter’s focus is on the safeguards and accountability of mass surveillance in Europe and the US and how this affects transatlantic relations. It queries whether national systems of checks and balances are still adequate in relation to the growth and the globalization of surveillance capabilities. Lacking safeguards and accountability at the national level can exacerbate in the context of transnational surveillance. It can lead to asymmetries between countries which are precisely at the core of the transatlantic rift over mass surveillance. The chapter concludes with a brief review of proposals how to reduce them.

The book is based on research carried out in the context of the INDIREG and MEDIADEM projects.
More information about the book: http://www.ecrea.eu/publications/bookseries
See here the front and back cover of the book.

Media independence is vital for democracies, and so is the independence of the regulatory bodies governing it. The Independence of the Media and its Regulatory Agencies explores the complex relationship between media governance and independence of media regulatory authorities within Europe, which form part of the wider framework in which media’s independence may flourish or fade. Based on research in more than forty countries, the contributions analyse the independence of regulators and draw links between social, financial, and legal frameworks. The contributing authors offer theoretical perspectives that combine law and public policy; review research methods; and offer a set of case studies that explore how the national socio-political context influences local institutions. As a whole, the book offers an accessible and relevant account of research into regulatory independence as applied to the audiovisual media sector in Europe.